◆ As the new coronavirus, COVID-19, spreads across the United States, the HHS Office for Civil Rights (OCR) is reminding HIPAA covered entities and business associates that the protections in the HIPAA privacy rule “are not set aside during an emergency,” even though HIPAA allows disclosures of protected health information (PHI) that’s necessary for public health officials to carry out their public health mission.[1] Covered entities can disclose PHI to the Centers for Disease Control and Prevention or to a state or local health department, and also can disclose PHI “as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations,” OCR said. In addition, “health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public,” consistent with applicable laws and the provider’s standards of ethical conduct, OCR said. For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” standard, the agency said.
◆ In the event of a coronavirus emergency, all employers, including those considered covered entities under HIPAA, will have freedom to share employee information as necessary “to prevent or lessen a serious and imminent threat to the health and safety of a person or the public—consistent with applicable law,” wrote attorney Tiffany Downs, a partner at FordHarrison.[2] This means an employer may disclose an employee’s health information to anyone in a position to prevent or lessen the serious and imminent threat, including family, friends, co-workers, caregivers and law enforcement, without an employee’s permission, Downs said. Most employers are not covered entities and therefore not subject to HIPAA’s privacy rule, Downs said, but she noted that an employer may fall under HIPAA if it sponsors a group health plan from which it receives PHI. Still, an outbreak of an infectious disease such as the coronavirus means that HIPAA-covered employers will have the same freedom as HIPAA-excluded employers to share information in order to reduce the threat, Downs said.
◆ Walgreens has notified California officials that it has discovered an error within its mobile app that might have led to unauthorized disclosure of secure messages customers stored in the app. In its notification letter,[3] the drug store giant said it discovered the error within the personal secure messaging feature on Jan. 15. “Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app.” The company said in the letter that it temporarily disabled message viewing to prevent further disclosure, and then implemented a technical correction to resolve the issue. It’s unclear how many customers were affected by the breach.
◆ Millions of people have used the app and website offered by GoodRx to save money on prescription drugs that aren’t covered by their insurance. However, an investigation by Consumer Reports[4] found that GoodRx is sharing personally identifiable data with more than 20 companies, including Google, Facebook and a marketing company called Braze. The data contains enough detail to allow those companies to pinpoint whose phone or laptop is being used, and to speculate with some accuracy on those people’s potential medical diagnoses. Testing of the app and website was led by Bill Fitzgerald, a privacy researcher in Consumer Reports’ Digital Lab. “We observed sensitive information being passed along,” he said, adding, “the app and site don’t need to be designed this way.” Both Google and Facebook denied using prescription information to target users with ads, and following publication of the report, GoodRx said it would stop sharing information with Facebook. Although HIPAA does not apply to GoodRx, doctors interviewed by Consumer Reports say they recommend GoodRx as a solution, many without realizing that private information could be revealed.
◆ An accounting firm based in Albany, New York, was hit by a ransomware attack that potentially compromised patient data belonging to a local medical group, Community Care Physicians P.C. (CCP).[5] On Dec. 7, the accounting firm, BST & Co. CPAs LLP, learned that part of its network was infected with a virus that prohibited access to its files. According to a statement from Community Care, BST “quickly restored its systems” and engaged a forensic investigation firm to determine the nature and scope of the incident. The statement went on to say that “after a thorough analysis of all available forensic evidence, the investigation determined the virus was active on BST’s network from December 4, 2019 to December 7, 2019,” and gained access to part of the network where CCP’s files are kept. BST then reviewed the files in detail to determine whether they contained personal health information, and has confirmed the files did contain some personal information. The information affected does not include sensitive data such as bank account numbers and Social Security numbers, nor does it include medical diagnoses, the physician group said in a statement. “Instead, the information that may have been exposed includes name, date of birth, billing codes, insurance description (a definition of the billing/CPT code) and medical record number.” More than 500 people were involved, the physician group said.
◆ The Harris County Health System in Texas has issued a warning to nearly 1,200 patients that their protected health information may have been misplaced when two envelopes were lost in transport in late December.[6] The two envelopes were being moved from the Gulfgate Health Center to Ben Taub Hospital for electronic record-keeping. Health system officials said they believe the breach only affects around 25 patients, but they don’t know which 25, so they are notifying nearly 1,200 patients who visited the health center between Dec. 9 and Dec. 27, 2019. Patient information that could be compromised includes names, Social Security numbers, dates of birth, addresses, phone numbers and medical information.
◆ A company in Lincoln, Nebraska, that offers performance measurement and management services for health care companies, NRC Health, said it was the victim of a ransomware attack on Feb. 11.[7] In a statement, NRC chief information officer Paul Cooper said NRC immediately shut down its system, launched an investigation and notified the FBI. As of late February, the company hadn’t yet restored all systems and services, although it anticipated doing so “in the coming days,” Cooper said, adding, “at this time, there is still no evidence of unauthorized access to or acquisition of any data from our systems, including protected health information or other confidential information as a result of this incident.” Still, some of the company’s clients expressed concern that NRC might eventually conclude this was a breach.
◆ Major provisions of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act[8] take effect on March 21, and attorneys with Pepper Hamilton LLP are urging entities doing business in the state to get ready.[9] The SHIELD Act significantly expanded the scope of New York’s data security law, heightening the data security requirements that must be adopted; broadening what constitutes a breach to include unauthorized access, instead of just the unauthorized acquisition of computerized data; and broadening notice requirements, including requiring notice to the New York Attorney General of breaches involving entities that are regulated by HIPAA or the HITECH Act.[10] Violations of New York’s SHIELD Act are enforceable by the state attorney general and can lead to civil penalties of $5,000 per violation.
◆ Munson Healthcare in Traverse City, Michigan, recently experienced a data breach where employee email accounts were accessed by an unauthorized third party. Following an investigation, it was found that some of the email accounts that were accessed contained identifiable personal and protected health information. Patient names, insurance information, dates of birth, treatment, and diagnostic information were contained in the email accounts. Munson Healthcare also said a limited number of individuals’ financial account numbers, driver’s license numbers and Social Security numbers were affected. There’s no evidence that any information has been used by the unauthorized third party that accessed it, according to the organization.[11]
◆ The St. Louis Fire Department’s role in a television series has been placed on hold while federal officials investigate whether the department is in violation of HIPAA.[12] The fire department had been participating in the cable TV show Live Rescue, aired by A&E, until it received a letter from HHS stating that it was reviewing the department’s partnership with the show for possible violations of federal patient privacy rules. Live Rescue is a reality TV show that features “almost live” feeds of fire crews and emergency medical service units in seven U.S. cities. The show includes pre-taped segments, but a big draw for audiences is “almost live” footage of emergency responses that usually airs within about 20 minutes after it is filmed. Live Rescue has been on the air since April 2019, and at least one St. Louis resident has said she was filmed without her consent following a car crash.